Posts posted by 1972vet

  1. the network name reverted back to "linksys" and is now unsecure. Unfortunately, whatever it is, it is still disabling my AV.

    Why is it unsecured? Are you not the system administrator?

    On most Linksys routers your username/password combination becomes empty on reset (no username) / with password "admin" (without the quotes). You need to establish a new strong password. I can't do that for you.

    Run hijackthis again and check the box next to this entry:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    ...close all open windows except for hijackthis, then click the Fix Checked button. Reboot the computer to properly record the change to the hard disk.

    Do you have your McAfee installation CD? Most software issues are resolved upon uninstall/reinstall of the software.

  2. Very glad we could help. Warmest regards...

    This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

  3. I see a clean log, congratulations! Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

    ComboFix /u

    Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

    To assist in the prevention of spyware infections:

    Immunize your browser by installing Spywareblaster. What does it do?

    • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    • Restricts the actions of potentially unwanted sites in Internet Explorer.

    Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

    Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

    You should always have at least (but not more than) one of these types of third party firewalls running on board:

    Kerio Personal Firewall

    Zone Alarm

    Outpost Free

    Comodo

    Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

    Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

    Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

    If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

    Become familiar with the MalwareBytes anti-malware application. Use it often especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here where you can also request assistance if you have some concerns about the program's findings.

    ***Note***

    The licensed version provides real time protection and other automatic features otherwise not available.

    Comodo's BOClean utility is another very good "Free" malware cleaner that runs in the background to help prevent malware intrusions.

    Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...third download link at the bottom of that page).

    Or if you just want to run your on board Disk Cleanup ("Start-->Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:

    Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

    So how did I get infected in the first place?

    Regards, and Happy Surfing!

  4. my IT guy said I should have Adaware and Spybot installed. Is this true? Should I go ahead and install these two programs?

    Please do not. Spybot is fine and I will give you instructions for its proper use once we are finished with this cleanup. Adaware however would be a bit of overkill and in my opinion, would not be necessary given the fact that you will have been running your on board antivirus solution, mbam and spybot...those are sufficient.

    Please do this first:

    1. Unplug or turn off your DSL/cable modem.

    2. Locate the router's reset button.

    3. Press, and hold, the Reset button down for 30 seconds.

    4. Wait for your Power, WLAN and Internet light to turn on. (On the router)

    5. Plug in or turn on your modem (if it is separate from the router).

    6. Open your web browser to see if you have an internet connection. If you still don't have an internet connection you may need to restart your computer.

    Once you establish an internet connection, please open another blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Once again, combofix will run again automatically. Please post back the new log that will be generated along with a fresh HijackThis log. Thanks!

    KillAll::

    Rootkit::

    c:\windows\system32\drivers\wqoxkkm.sys

    Driver::

    wqoxkkm

    Registry::

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

  5. Do you use netmeeting?

    Please uninstall these:

    ViewPoint View Manager

    Viewpoint Media Player

    FrostWire

    Click start-->Control Panel-->Add/Remove Programs...scroll down the list and locate the program names. Click Remove for each...then reboot when finished uninstalling.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated along with a fresh HijackThis log. Thanks!

    File::

    c:\winnt\system32\cygz.dll

    c:\winnt\Tasks\AE674AD09110FBE8.job

    c:\docume~1\owner\applic~1\nurbpr~1\Antecampmp3.exe

    Folder::

    c:\documents and settings\Owner\Application Data\FrostWire

    c:\program files\FrostWire

    Registry::

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "c:\Program Files\FrostWire\FrostWire.exe"=-

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b415f0-7f86-11dd-a417-000cf18d549f}]

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee56afba-77ae-11dd-a412-000cf18d549f}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04079851-5845-4dea-848C-3ECD647AA554}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

  6. Excellent! Looks like that did it in spite of the fact that I explained myself backwards:

    ..and there should be no space there

    ...and that should read:

    "...and there should be a space there." The format issue was, I believe, my own text editor removing the space at the line break when "nt" appears on the next line below "windows". My problem, not the forum.

    On to business. Let's see a fresh HijackThis log now and please advise us how the system is behaving for you. Thanks!

  7. This one is stubborn and I'm not so sure it's unrelated to a formatting issue. The only remaining problem is the AppInit_DLLs corrupted entry for rnofma.dll. The .reg file we used should have corrected the issue, however, on further examination, the entry in your log shows a space between "windows" and "nt" here:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=rnofma.dll

    ...and there should be no space there. The .reg file we used does not contain a space. This mismatch may only be this forum software formatting but we'll see.

    Let's be sure to perform the steps below exactly as detailed:

    Copy the data in the code box below into notepad and save it as deletereg.reg

    Set File type to "all files"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""

    Double-click that file and confirm you want to merge it with the registry.

    Next, please open another blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    Rootkit::

    c:\windows\system32\rnofma.dll

  8. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

  9. Excellent! You did good work dbntina.

    Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

    ComboFix /u

    Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.


  10. OK, we'll try this again a different way...

    Please open another blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    Rootkit::

    c:\windows\system32\drivers\wqoxkkm.sys

    Driver::

    wqoxkkm

  11. You didn't answer my question:

    Did you have some trouble using the .reg file from the previous instruction?

    Please open another blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    File::

    c:\windows\system32\rnofma.dll

  12. Excellent dirtriderwjc2000...glad you have it sorted out now. For future reference, please note that you really should create a new thread with your issue rather than posting in a thread someone else started. It makes things less complicated for other users who may happen along and find the thread while perusing the forums. Thanks for understanding.

    Step 2 the zip file was not there.

    Ahh...and so it wasn't. Forgive me for failing to check those active links. Since it's not likely to reappear on the web site referenced in that link, I'll have to render a manual fix instead.

    In the future, should you (or anyone else) need to run through those steps again, substitute the .reg fix below for the step 2 from the above instructions:

    Step 2: Register the related BITS key in the Registry

    Copy the text below (in the code box) and save it as FixBits.reg...Set File type to "all files"

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
    "Type"=dword:00000020
    "Start"=dword:00000002
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "DisplayName"="Background Intelligent Transfer Service"
    "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
    "DependOnGroup"=hex(7):00,00
    "ObjectName"="LocalSystem"
    "Description"="Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly."
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
      00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Parameters]
    "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
      00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,71,00,6d,00,\
      67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum]
    "0"="Root\\LEGACY_BITS\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    Double-click that file and confirm you want to merge it with the registry.

    Reboot the computer.

    *************************************

    ...from here then, you can carry on with the next step. Again, sorry 'bout that.
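
Added example (not part of the original post, and not code from any tool named in it): a small Python parser that decodes the hex(2)/hex(7) values of a Version 5.00 .reg file such as the FixBits.reg text above, so the ImagePath and ServiceDll it would write can be read before merging, and that reports lines where a key header and its values have run together. The function names and the system32 prefix check are assumptions of this example.

```python
import re

# Two keys copied from the FixBits.reg text in the post above (Version 5.00 format).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,71,00,6d,00,\
  67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

# A .reg text in flattened form: key header and values share one line.
FLATTENED_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=-"AppInit_DLLs"=""
'''


def flattened_lines(text):
    """Line numbers where a [key] header is followed by more text on the same line."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if re.match(r'\s*\[.*\]\s*\S', line)]


def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def decode_value(raw):
    """Turn the right-hand side of a .reg line into (type name, Python value)."""
    raw = raw.strip()
    if raw == '-':
        return ('DELETE', None)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return ('REG_SZ', _unescape(raw[1:-1]))
    if raw.lower().startswith('dword:'):
        return ('REG_DWORD', int(raw[6:], 16))
    m = re.fullmatch(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)', raw)
    if not m:
        raise ValueError('unrecognised value: %r' % raw)
    kind = int(m.group(1), 16) if m.group(1) else 3
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    # Version 5.00 files store string types as UTF-16LE; REGEDIT4 files use the
    # ANSI code page instead and are not handled here.
    if kind == 2:
        return ('REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\x00'))
    if kind == 7:
        return ('REG_MULTI_SZ', [p for p in data.decode('utf-16-le').split('\x00') if p])
    return ('REG_BINARY' if kind == 3 else 'hex(%x)' % kind, data)


def parse_reg(text):
    """Return {key path: {value name: (type, value)}} for well-formed lines only."""
    joined = re.sub(r'\\\r?\n[ \t]*', '', text)   # merge backslash continuations
    result, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            result[current][name] = decode_value(m.group(2))
    return result


def service_binaries(parsed):
    """(key, value name, decoded path) for each ImagePath/ServiceDll under a Services key."""
    found = []
    for key, values in parsed.items():
        if '\\services\\' not in key.lower():
            continue
        for name in ('ImagePath', 'ServiceDll'):
            if name in values:
                found.append((key, name, values[name][1]))
    return found


def outside_system32(path):
    """True if a service binary path does not start in the Windows system32 directory."""
    p = path.lower().lstrip('"')
    return not p.startswith(('%systemroot%\\system32\\', 'c:\\windows\\system32\\'))


if __name__ == '__main__':
    print('flattened lines:', flattened_lines(FLATTENED_REG))
    for key, name, path in service_binaries(parse_reg(SAMPLE_REG)):
        print(name, '=', path, '(REVIEW)' if outside_system32(path) else '')
```
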

  13. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

  14. Did you have some trouble using the .reg file from the previous instruction? Are you certain you followed the direction exactly as detailed for the .reg file portion of that instruction?

    The reason I ask is because your combofix log shows that the AppInit entry is still corrupted...and that .reg file should have corrected this. Please go over the instruction once more for using the .reg file in the previous instruction.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    File::

    E80F62FF5D3C4A1984099721F2928206.TMP

    Folder::

    c:\program files\LimeWire

  15. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

  16. OK, install the latest version of Java Here (First download link).

    Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

    ComboFix /u

    Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.


  17. While the fix below won't do a thing for you if your copy of windows hasn't been validated, I suggest you give this a try and post back your results:

    Add these sites to your "Trusted Zone" in I.E.

    Tools -> Internet Options -> Security -> Trusted Sites -> Sites -> Add this Web site to the zone:

    http://*.windowsupdate.microsoft.com (Add)

    http://download.windowsupdate.com (Add)

    http://update.microsoft.com/ (Add)

    https://*.windowsupdate.microsoft.com (Add)

    https://windowsupdate.microsoft.com (Add)

    Don't click the box which reads:

    "Require server verification (https:) for all sites in this zone"

    Then click OK and OK again.

    Then proceed with the steps below...

    Step 1: Restart the BITS and AU services

    1. Click Start, and then click Control Panel.

    2. Click switch to a Classic View in left panel.

    3. Double-click Administrative Tools.

    4. Double-Click Services. (or go to Run and type in services.msc )

    5. Double-click the service "Background Intelligent Transfer Service".

    6. Click the Log On tab, ensure the option "Local System account" is selected and the option "Allow service to interact with desktop" is unchecked.

    7. Check if this service has been enabled on the listed Hardware Profile. If not, click the Enable button to enable it.

    8. Click on the "General" tab and make sure the "Startup Type" is "Automatic" or "Manual".

    9. Then click the "Start" button under "Service Status" to start the service.

    10. Repeat the above steps with another service: "Automatic Updates"

    After Step 1, go to the Windows Update website and check if the problem still exists. If there is still a problem, continue with Step 2.

    Step 2: Register the related BITS key in the Registry

    Download BITSservice.zip and unzip it to the desktop. You will get the BITSservice.reg files

    ***** BACK UP YOUR REGISTRY FIRST *****

    {If you don't know how to back up your registry, you are advised to carefully read the Elder Geek Registry Back-Up Info}

    Double click it and click OK to import the registry information to your system. (This adds more permissions to the users of your PC)

    After Step 1 and Step 2, go to the Windows Update website and check if the problem still exists. If the problem persists, go on with Step 3.

    Step 3: Register related dll files

    This step will tell you if the update engines are working properly.

    Before proceeding, Close all instances of Internet Explorer.

    1. Click Start, click Run, type Regsvr32 qmgr.dll in the Open box, and then click OK.

    2. Click OK.

    3. Click Start, click Run, type Regsvr32 qmgrprxy.dll in the Open box, and then click OK.

    4. Click OK.

    Similarly, one by one, register the files listed below:

    REGSVR32 ATL.DLL

    REGSVR32 MSXML3.DLL

    REGSVR32 WUAPI.DLL

    REGSVR32 WUAUENG.DLL

    REGSVR32 WUAUENG1.DLL

    REGSVR32 WUPS2.DLL

    REGSVR32 WUCLTUI.DLL

    REGSVR32 WUPS.DLL

    REGSVR32 WUWEB.DLL

    REGSVR32 JSCRIPT.DLL

    Note: Please try and register all the files. While registering each .DLL file you should get a "succeeded" message.

    5. Click Start, click Run, type cmd and press Enter.

    6. In the Command Prompt window, input the following commands. Press Enter after each command:

    net stop bits

    [Enter]

    (If you receive any error message here, such as:

    The BITS service is not started

    NET HELPMSG 3521

    just ignore it)

    rd /q /s %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader

    (all on one line, of course)

    [Enter]

    (If you receive any error messages here, such as:

    The system cannot find the file specified

    The system cannot find the file specified

    The system cannot find the file specified

    The system cannot find the file specified

    The system cannot find the file specified

    just ignore them)

    [or do - in lieu of previous rd step]:

    a. Change to the download directory --

    cd %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader

    [Enter] (This will probably be:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader

    for those people more comfortable using Explorer)

    b. List all Files in this Folder --

    dir

    [Enter]

    c. Delete all Files in this Folder --

    del *.*

    [Enter]

    d. OR you can just Delete the Folder --

    rd

    {which does the same thing as Steps b.) and c.)} [Enter]

    MAKE SURE you're in the Folder specified in Step a.) or you will Delete the wrong Folder/Files. (If you're NOT comfortable with DOS, then use Explorer)

    e. You MAY ALSO have to do the above with:

    %WINDIR%\SoftwareDistribution\Download

    (Which is: C:\Windows\SoftwareDistribution\Download for those people more comfortable using Explorer)

    and:

    %WINDIR%\SoftwareDistribution\DataStore

    (Which is: C:\Windows\SoftwareDistribution\DataStore for those people more comfortable using Explorer)

    f. Also (in Windows Explorer), go to:

    C:\Windows\inf

    Scroll down and find the branches.inf File

    Right click it and click Properties and make sure the Read Only Attribute box is NOT checked.

    net start bits

    [Enter]

    (If you receive any error message here, such as:

    The BITS service is starting

    BITS could not be started

    A Service Specific Error occurred: 2147942405 (which is the decimal equiv. for 0x80070005)

    NET HELPMSG 3547

    just ignore it)

    exit

    [Enter]

    After Step 1, Step 2 and Step 3, go to the Windows Update website and check if the problem still exists.

    If there is still a problem, continue with Step 4

    Step 4: Add permissions to access related folders and registry keys

    ***** BACK UP YOUR REGISTRY FIRST *****

    {If you don't know how to back up your registry, you are advised to carefully read the Elder Geek Registry Back-Up Info}

    1. Click Start and click Run.

    2. In the Open box, type REGEDIT, and then click OK.

    3. In the left panel, you can find the root key "HKEY_CLASSES_ROOT".

    4. Right-click HKEY_CLASSES_ROOT and click Permissions.

    5. Select Everyone in the "Group or user names" list.

    You may not have a Group or User Name called "Everyone" and have something like the below:

    ADMINISTRATORS [Allow - Full Control/Read]

    CREATOR OWNER [Allow - Special Permissions]

    POWER USERS [Allow - Read/Special Permissions]

    SYSTEM [Allow - Full Control/Read]

    USERS [Allow - Read]

    If you don't have a Group or User Name called "Everyone":

    Click Add, type Everyone in the open text box and click Check Names, then click OK.

    (now do Step #5 again -- Select Everyone in the "Group or user names" list.)

    6. Under Permissions for Everyone, click to select the "Full Control" check box in the Allow column.

    7. Select each user, in turn, in the Group or user names list, and then verify that no check boxes are selected in the Deny column. Clear any check boxes that are selected in the Deny column.

    8. Click the Advanced button, click the "Replace permission entries on all child objects" check box and then click OK.

    You might have:

    The "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box was unchecked.

    The "Replace permission entries on all child objects with entries shown here that apply to child objects." box was also unchecked.

    (I checked the "Replace permission entries..." box and clicked Apply.)

    9. Click Yes if you are prompted for confirmation, and then click OK to close the dialog box.

    Note: You MAY receive the following message. It is normal, because the permission of some registry keys cannot be reset: "Error: The Registry Editor could not set security in the key currently selected, or some of its subkeys."

    (If you receive this message, click OK).

    10. Locate HKEY_LOCAL_MACHINE and perform the above steps again. (This will also take you several minutes and you MAY receive an error message at this step. Click OK to continue)

    You may have something like the below in the "Group or user names" box:

    ADMINISTRATORS [Allow - Full Control/Read]

    EVERYONE [Allow - Read]

    RESTRICTED [Allow - Read]

    SYSTEM [Allow - Full Control/Read]

    You may have:

    The "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box was already checked.

    The "Replace permission entries on all child objects with entries shown here that apply to child objects." box was unchecked.

    (I checked the "Replace permission entries..." box and clicked Apply.)

    Step 5: In case you get Error 0x8007043b

    ***** BACK UP YOUR REGISTRY FIRST *****

    {If you don't know how to back up your registry, you are advised to carefully read the Elder Geek Registry Back-Up Info}

    1. Click Start and click Run.

    2. In the Open box, type REGEDIT, and then click OK.

    3. Navigate to the following key:

    HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\SvcHost

    (.... but do not expand the SvcHost key in the left panel).

    4. In the right panel, double-click the netsvcs key, which will open a pop up box, entitled, "Edit Multistring".

    5. Under the "Value data:" box will be a list of services. Add BITS and wuauserv (on separate lines) to the list of services (if they are not listed already).

    6. Click OK

    7. Exit the registry

    8. Re-boot the system (mandatory or the changes won't go into effect).

    Step 6: In case you get Error 0x80246008

    ***** BACK UP YOUR REGISTRY FIRST *****

    {If you don't know how to back up your registry, you are advised to carefully read the Elder Geek Registry Back-Up Info}

    1. 0x80246008 is the error you get when Automatic Update fails. When you try to Start it Manually, you get a 2147024894 error.

    2. Instead of me rewriting another very long set of instructions, first check out PC Review

    3. Read his problem and then that will lead you to Re-installing the BITS Service on Windows XP SP2 When It Has Been Corrupted

    4. Follow those instructions as posted.

    5. You'll notice that there are many references given at the bottom of that post in Step 3, one of which happens to be this thread!!

    6. Read the other links at the bottom of that post too. They also contain some very good information. If you follow all the links to their respective 'end of the roads', so to speak, you will see that a LOT of problems are caused by interactions with Symantec products (i.e. upgrading, installation, uninstalls, etc.).

    It figures - once you have a Symantec product, you're stuck. You can't back out, you can't upgrade, you can't install new and their Customer (Dis)Service costs a bundle, never mind that even if you DO pay, more often than not, they can't help you anyway. Eventually, you can work your way out of it, but I've seen people go for up to a year before they finally straighten it all out. How's THAT for a Norton recommendation?!!

    7. There are other helpful hints on the other pages in this thread, so it is recommended reading through all those too. Everybody's PC setup is unique and the problems with BITS are almost endless, but a LOT of people have written with success stories and additions and suggestions.

    [in case you need the below to send to the M.S. Tech. Rep.]:

    Windows Update Log

    1. Click on Start -> Run

    2. Type: "WindowsUpdate.log" (with double quotes) and Click OK

    3. Click File -> Save As and save the file into a specified folder.

    Event Logs

    1. Click on Start -> Run

    2. Type: "eventvwr" (without the quotation marks) and Click OK.

    3. Right click Application Log and choose Save Log file As... >> Save the log file as app.evt.

    4. Right click System Log and choose Save Log file As... >> Save the log file as sys.evt.

    System Information File

    1. Click on Start -> Run

    2. Type: msinfo32 and click OK.

    3. Click File -> Save and save the file into a specified folder.

    (congrats to everyone that contributed to this article)

  18. Copy and paste the following into a blank NotePad:

    sc stop RoxLiveShare10

    sc stop cFosSpeedS

    sc stop CLTNetCnService

    sc stop SessionLauncher

    sc delete RoxLiveShare10

    sc delete cFosSpeedS

    sc delete CLTNetCnService

    sc delete SessionLauncher

    Click File-->Save as and name the file delservice.bat

    Under "Save as type" Select "all files" and save it to your Desktop.

    Double-click the delservice.bat file on your Desktop. When the batch completes, delete the .bat file and Reboot the system.

    Please post back a fresh HijackThis log. We're almost finished. Thanks!

  19. Please uninstall the following software:

    Adobe Acrobat 6.0 (Out of date and exploited. Download the latest version Here)

    Frontier MyWay Tool Bar

    Please click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program names and click Remove. Reboot when finished uninstalling.

    Please run HijackThis again and check the following:

    O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll

    O23 - Service: McAfee Application Installer Cleanup (0031171232541543) (0031171232541543mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\003117~1.EXE

    Close all other open windows now except for HijackThis (that includes this browser window), then click the Fix Checked button. Locate and delete the following folder indicated in Bold text:

    C:\Program Files\FrontierBA

    ...then reboot to properly record those changes to the hard disk.

    Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

    ComboFix /u

    Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

    To assist in the prevention of spyware infections:

    Immunize your browser by installing Spywareblaster. What does it do?

    • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    • Restricts the actions of potentially unwanted sites in Internet Explorer.

    Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

    Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

    You should always have at least (but not more than) one of these types of third party firewalls running on board:

    Kerio Personal Firewall

    Zone Alarm

    Outpost Free

    Comodo

    Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

    Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

    Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

    If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

    Become familiar with the MalwareBytes anti-malware application. Use it often, especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here where you can also request assistance if you have some concerns about the program's findings.

    ***Note***

    The licensed version provides real time protection and other automatic features otherwise not available.

    Comodo's BOClean utility is another very good "Free" malware cleaner that runs in the background to help prevent malware intrusions.

    Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...third download link at the bottom of that page).

    Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

    Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

    So how did I get infected in the first place?

    Regards, and Happy Surfing!

  20. Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    File::

    c:\windows\system32\nkuhlvv.dll

    NetSvc::

    kqlyjukx

    Driver::

    kqlyjukx

    Registry::

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A595BAAE-425A-4A8D-A822-C8008F0966E5}]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zhcryrvt]

  21. Uninstall the following software:

    Bit DNA

    LimeWire

    Acrobat 7.0 Reader (Out of date and exploited...download the latest version Here)

    Click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program names and click Remove. Reboot when finished uninstalling.

    Copy the data in the code box below into notepad and save it as FixAppInit.reg

    Set File type to "all files"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""

    Double-click that file and confirm you want to merge it with the registry.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    File::

    c:\program files\LimeWireWin.exe

    Folder::

    c:\program files\DNA

    Registry::

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "c:\Program Files\LimeWire\LimeWire.exe"=-
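
Added example, not part of the original posts: the netsvcs list edited in the Error 0x8007043b steps, the NetSvc:: entry removed by the CFScript, and the AppInit_DLLs value cleared by FixAppInit.reg can all be verified offline from a regedit export. It assumes a "Windows Registry Editor Version 5.00" export (hex(7) data is UTF-16LE); the sample export, the BASELINE set and example.dll are constructed.

```python
import re

# Constructed sample of a "Windows Registry Editor Version 5.00" export (not real data).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):42,00,49,00,54,00,53,00,00,00,54,00,68,00,65,00,6d,00,\
  65,00,73,00,00,00,6b,00,71,00,6c,00,79,00,6a,00,75,00,6b,00,78,00,00,00,\
  00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\example.dll"
'''

REQUIRED = {"bits", "wuauserv"}            # services the post says netsvcs must list
BASELINE = {"bits", "wuauserv", "themes"}  # hypothetical known-good list from a clean machine
BASE = r"hkey_local_machine\software\microsoft\windows nt\currentversion"

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from a v5 .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif match and current is not None:
            current[match.group(1).lower()] = match.group(2)
    return keys

def multi_sz(raw):
    """Decode hex(7) REG_MULTI_SZ data (UTF-16LE, NUL-separated) into a list."""
    data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def sz(raw):
    """Decode a quoted REG_SZ value, undoing .reg backslash escaping."""
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")

def audit(text):
    """Report missing/unexpected netsvcs entries and the AppInit_DLLs value."""
    keys = parse_reg(text)
    names = {s.lower() for s in multi_sz(keys[BASE + r"\svchost"]["netsvcs"])}
    return {
        "missing": sorted(REQUIRED - names),      # must be added back
        "unexpected": sorted(names - BASELINE),   # review before trusting
        "appinit": sz(keys[BASE + r"\windows"].get("appinit_dlls", '""')),
    }
```

Call `audit()` on the text of your own export; an empty "appinit" string and an empty "missing" list are the state the posts above aim for.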
